evntwin, or the Windows Event to SNMP trap translator is a very powerful build-in utility contained within all Windows operating systems which allows you to take any Windows Event and generate a SNMP trap from it. This is especially useful for tying into WhatsUp® Gold’s passive monitor system.
The problem
Have you ever had an issue working with the WinEvent passive monitor? You are not alone. Since the WinEvent passive monitors are using WMI to get their information, there can be a lot of outside variables to take into account. Are you using the proper credentials? Are your forward and reverse DNS entries correct? Is WMI properly allowed through the firewall on both ends? In a sense, depsite being called a passive monitor the WinEvent listener in WhatsUp® Gold is not “passive”.
The way it works is it registers for events. i.e. you want to collect all Event ID 1234. You create a WinEvent passive monitor, you apply it to a device. Then WhatsUp® Gold tells the device “If you receive Event ID 1234, tell me and give me the output”. However WhatsUp® Gold is checking to ensure the connection for this registration is there every 60 seconds by default regardless of whether or not the connection has been broken. Since the WinEvent listener is dependent upon this connection existing it is possible to miss up to 60 seconds of events whenever the connection is broken. For example, a reboot of the device or a restart of the WhatsUp® Gold services.
The solution
To me Windows Event Passive monitor implementation discussed above never made sense. This is where evntwin comes to the rescue. Evntwin is a great alternative and it is very easy to configure and use. As mentioned above, the full name is the ‘Event to Trap translator’. And yes, this is built into all Windows operating systems. You do not need to download or install anything. Using the Event to Trap translator is simple and is much more reliable than depending on the WMI connection. The SNMP trap will always be sent, even when the server is first booting. This is a true passive monitor because WhatsUp® Gold will literally be just listening for the that SNMP trap to come in.
Evntwin Step-by-Step Configuration
First, you’ll need to launch evntwin. Navigate to Start > Run (in 2012 and up, right-click start and select ‘Run’) And then simply run: evntwin as you see below.
This will launch the Event to Trap Translator. Now we want to tell it which Windows events we’d like to generate SNMP traps for. Select ‘Custom’ and then click ‘Edit’
You’ll notice ‘Event sources’ lists quite literally every Windows event the system is capable of generating. Find your specific event you care about, select one (or multiple) and left-click ‘Add’
Now simply hit ‘Apply’ and ‘OK’.
Restart the Windows ‘SNMP Service’ and you are all set. From here on out, your desired Windows Events will also generated SNMP traps. When those events come in, the system will send a SNMP trap to whatever is configured in the ‘Traps’ tab of the SNMP service on that server.
You can also export the event lists and save as a file. Then you can use that file to apply the configuration to other systems using ‘evntcmd’. This operation can be scripted to run against many systems.
Once you Exported and saved your .cnf file, just run the following from command line. The command will configure evntwin with the same events you setup manually in the previous steps and also restart SNMP:
eventcmd -s Hostname C:\path\to\file\events.cnf -n
WhatsUp® Gold Configuration
Now you configure WUG to listen for those events. I will update this soon with more detailed information…
And apply it to the device. Note: In this example, I am listening for that event ID and matching a certain description. These examples are looking for logon/logoff security events. Here is a list of logon types. Its important to consider formatting of the event description when adding a ‘match on’. Logon Type: 10 must be formatted with many spaces…copy and paste works best, for reference: Logon Type: 10
